How to create and configure an 'Automated patch deployment' task?

Need for automated patch deployment:

With the steady rise in attack vendors and frequency of attacks, it is mandatory to keep all your enterprise endpoints up to date and round the clock patched. The best way to address this problem, is to have a systematic and automated solution that manages multiple OSs and third party application patches effectively. 
The Automate Patch Deployment (APD) feature provides system administrators the ability to deploy patches missing in their network computers automatically, without any manual intervention required.

Automate Patch Deployment (APD) workflow

To keep up with cyber industry's security demands, APD calls for an automated scan(instead of manually scheduled scan) as soon as the server synchronizes with the Central Vulnerability Database. Then missing patches in the network endpoints are then detected and the details are posted to the server. The patches are then downloaded on to server from vendors' site, and deployed automatically as specified in the deployment window. The whole new APD process aims at eliminating the manual efforts for scheduling a scan and the later downloading of missing patches, in order to be up to date with the most recent patches.

Benefits of Automated Patch Deployment

  1. Deployments are fast, and security is tightened due to the readily available patches for deployment.
  2. All the approved patches will be deployed in the very next deployment window immediately after their download. There's no need to wait for the next APD scheduler to invoke the deployment.
  3. Whenever the computer in the network goes offline and encounters the network connectivity again, there could be new vulnerabilities and patches that the computer be missing. In the new APD, when the agent comes into contact with the server, it gets automatically scanned in the next refresh cycle, the missing patches are detected and updated in the server. The agent deploys them in the subsequent refresh cycle during the deployment window. Hence, there is no need to worry about the agent contact time and its prolonged vulnerable status. In the old APD, patch installation might be delayed because the agent contacted the server only after APD schedule.
  4. Deployment in agent continues until it gets zero missing patches for the APD criteria.
  5. You can also see the history of patching in a more detailed view.

apd-workflow

Create and configure an Automate Patch Deployment task:

Pre-requisite:

Configure  Vulnerability Database Settings to specify the time interval for the Central server to synchronize with the Central Vulnerability Database and collect details of the latest patches available.

Note: 

After synchronization with the Central Vulnerability Database, The Central Server will collect details of the latest patches released. In the next refresh policy, agents will automatically scan the computers to check if the newly available patches are missing. With Automate Patch Deployment, these patches will automatically be deployed without any delay. Automate Patch Deployment task ensures all the computers in the network are fully patched.

Steps to create an APD task

Follow the steps given below to create tasks for automating patch deployment for a set of computers:

  1. Navigate to the Patch Mgmt and Automate Patch Deployment. This view will display all the tasks that are created.
  2. Click Automate Task to create a new task for Windows/Mac/Linux and name your task.
  3. Configure required details for the following steps:
    1. Select applications - The type of OS and 3rd party apps to patch
    2. Choose Deployment Policy - Configure how and when to deploy the patches based on your enterprise's patching requirements
    3. Define Target - Select the target computers to deploy patches
    4. Configure Notifications - Receive notifications on the deployment status

Select Applications

Deploy Operating System updates

If you want to deploy updates related only to Operating Systems (example Windows, Mac or Linux), then you can enable one of the given check boxes:

  • Security Updates that involves all security updates of Windows and specify severity as Critical/Important/Moderate/Low/Unrated.
  • Non-Security Updates that involves all non-security related updates from Windows
  • Updates that are applicable only for Windows:
    1. Service Packs - A tested, cumulative set of all hotfixes, security updates, critical updates, and updates for different versions of Windows OS.
    2. Rollups - Cumulative set of updates including both security and reliability updates that are packaged together for easy deployment as a single update and will proactively include updates that were released in the past. 
    3. Optional updates - Also called Preview Rollups, these are optional, cumulative set of new updates that are packaged together and deployed ahead of the release of next Monthly Rollup for customers to proactively download, test and provide feedback.
    4. Feature packs - New product functionality that is included in the full product release.

Deploy Third party updates

If you want to deploy updates only related to third party applications, then specify the severity as Critical/Important/Moderate/Low/Unrated.
  Specify if you want to deploy all applications or if you would like to include/exclude a specific application.

Deploy Anti-virus updates

Select this option to deploy anti-virus definition updates for the following: Mcafee Virusscan Enterprise, Microsoft Forefront Endpoint Protection 2010 Server Management, Microsoft Forefront Endpoint Protection 2010 Server Management x64, Microsoft Forefront Client Security, Microsoft Forefront Client Security x64, Microsoft Security Essentials, Microsoft Security Essentials x64

Schedule Patch Deployment

You can choose to delay the deployment of patches to ensure its stability. You can either choose to deploy the patches after a specific number of days from the date of release or approval. 
For example, Assume, you specify the number of days as "5 days after release", then  the patches will be deployed only after 5 days, from the day it is updated in the Central Server Database. If you choose to deploy patches "after 5 days from approval", then  the patches will be deployed only after 5 days, from when the patch was marked as  approved. 

Choose Deployment Policy 

  • Customize the patching process according to your enterprise's requirements by configuring the Deployment Policy settings. 
  • The Deployment Policy details:
    1. Deployment frequency - Select how frequently you want to carry out the deployment
    2. Deployment window - The time interval during which patches need to be deployed
    3. Deployment will be initiated at - Select if deployment should happen during the system startup or the refresh cycle within the Deployment Window chosen.
  • If you have set any policy as default, then the default policy will be automatically applied to the configuration. 
  • Based on your requirements, you can choose from the available list of pre-defined policies or create a policy of your choice. 
  • Click on View Details to see policy details and the list of configurations to which the policy is applied to.
  • The Expiry setting allows to suspend a task after a specified period of time.

Define Target

  • Select the target computers for which deployment has to be performed. The target can be a whole domain or remote offices. If you select the entire domain as target, this will also include all the remote offices in that specific domain. 
  • You can filter targets based on sites, OU, Group, specific computers and more.
  • 'Exclude Target' allows you to select certain targets that you want to exclude from the patch deployment task. For example, you can exclude Server machines while deploying non-security updates.

Configure Notifications

Configure Notification settings to receive email notifications for the following : 

  1. Failure in the deployment/download of the APD task 
  2. Daily status reports on the APD task

Click on save to successfully create a task. Now all the chosen computers will automatically be deployed with the missing patches in the deployment window specified in the selected deployment policy.

Frequently asked questions

  1. If "Schedule scan" is removed, will I be able to scan my machines at all?
  2. Vulnerabilities keep increasing every day, we must have up to date scanned data of which computers on our network are missing critical and important patches. So, we have automated the scan task. After the Vulnerability database sync, if new patches are released when compared to the previous sync, agents will automatically scan in the subsequent refresh cycle.

  3. Will an automatic scan overburden the server with multiple requests? Will it choke the network traffic?
  4. Definitely not. The scan happens right after the database is synced. Every time the scan happens, the latest missing patches are detected and downloaded on to the server. We employ this effective mechanism of posting only the diff scan data(difference in the scan data between two consecutive scans), it will not overburden the server.
    Also, it will not affect the network traffic, since we don't initiate an on-demand scan from the server. It is similar to a configuration, the agents will scan only in their subsequent refresh cycle. So, the network traffic is distributed in the refresh interval and hence undisturbed.

  5. How to get reports of missing patches after the scan is completed?
  6. You can use Schedule Report. Reports -> Schedule Reports. You can get it easily by scheduling the reports to be emailed 2 hours from the database sync. Also you can configure it at any frequency as you wish.

  7. How to control deployment under the APD process?
  8. We can use the "Deployment policy" to control our date and time of deployment of the latest available patches. While the scan process is automated, you can set your own choice of deployment policies in accordance with the requirements that best suit your network environment.

  9. How do I view the report of patches to be installed in APD?
  10. You can just navigate to 'Patch View' from APD. APD --> Patch View

  11. I usually delay the patch installation by scheduling it 2 weeks after the 'Patch Tuesday'. How will things be different for me?
  12. No problem at all, you can still use "Deploy Patches After" option under APD, using which you can:

    • Deploy patches after 'x' days from release
    • Deploy patches after 'x' days from approval after testing
    • You can also tweak the deployment policy settings for a suitable deployment window.